05/01/2006 MON 14:19 FAX 7035185499

Application No.: 09/955,222 Docket No.: 30003038-2US 

REMARKS 

This is in full and timely response to the above-identified Office Action. The above listing of 
the claims supersedes any previous listing. Favorable reexamination and reconsideration is 
respectfully requested in view of the preceding amendments and the following remarks. 

Rejections under 35 USC § 112 

In this response minor amendments to the claims have been proposed to improve syntax 
and form. These amendments neither affect the scope of the claims nor raise any question as to 
whether a further search or consideration is necessary. 

The Applicant, however, traverses the position taken by the Examiner that the use of the 
term "substantially" renders the claims indefinite. Indeed, the removal of this term could be seen 
as having a marked effect on the scope of the claim from which it is removed. The Examiner's 
attention is called to the fact that the use of the term "substantially", in the context that it is used, 
actually emphasizes the difference rather than diluting the same. That is to say, just any difference 
and a substantial difference are seen as being substantially different. Indeed, it is not seen that the 
use of this term requires a standard for ascertaining the "requisite degree" or that one of ordinary 
skill in the art would fail to be reasonably apprised of the scope of the invention due to the use of 
this term. 

It is also noted that, on page 4 of this Office Action, the Examiner has stated that "Spies 
does not specifically disclose an index further comprising credential information differing 
substantially from the credential such that the credential is not disclosed by the index." (Emphasis 
added) It is submitted that, at least for the sake of rejection, the term "substantially" has not 
presented any lack of clarity. 

Favorable reconsideration is respectfully requested. 

Rejections under 35 USC § 103 

The rejection of claims 1-21 under 35 USC § 103(a) as being unpatentable over Spies et al. 
(U.S. Patent 5,689,565) in view of Scheidt et al. (U.S. Patent 6,754,820), is traversed. 

In a nutshell, the Spies reference discloses the idea that cryptographic operations are 
supplied to a local application by means of a driver architecture. An application calls a standard 
interface, which selects a specific service provider (a.k.a. library) to perform the cryptographic 
operation. This is all local to the machine. As part of the initialization the service providers supply a 
set of services that they offer. 

The Scheidt et al. reference discloses that an object (e.g. a word document) needs to be 
protected so that only particular individuals can access it (Role based Access Control). The 
mechanism used to achieve this is such as to encrypt the document with a random key. This 
random key is then encrypted in multiple ways so that each of the potential accessors can decrypt 
it in the specific way. 

In comparison, the claimed arrangement is such that a list of credential types that one is 
prepared to disclose is sent. The recipient selects which credential types are such as to provide 
an acceptable assurance. This selection is sent back to the user and the user reveals the chosen 
credentials. 

The Spies reference uses the advertising of the services provided by each of the installed 
cryptographic modules. The CAPI interface chooses the appropriate module to perform the 
desired cryptographic operation. The modules reveal a set of services they offer - rather than a set 
of credentials they are prepared to reveal - ergo no credential index is sent or reviewed for selection 
purposes. 

The Scheidt et al. reference sets forth an arrangement wherein only certain parties are 
permitted to access an object. The object is "in full view of everyone" however not everyone can 
decrypt. In the claimed arrangement the credentials are supplied to only those who ask for them 
and there is no notion of withholding information - merely streamlining the choosing of acceptable 
credentials. 

The Spies/Scheidt arrangements use the idea that installed software registers its capability. 
This is then used to choose a software module when a specific cryptographic capability is required. 
A distinct difference with the claimed subject matter is that the claimed arrangement is open ended. 
The fact that all of the credentials can be understood is not important, just if there are some 
credentials that are understood and accepted. 

In this Office Action the Examiner has taken the position that Spies discloses a credential 
index by "showing level of user profiles for the purpose of validating user's access to date 
information." Indeed, on page 13 of this Office Action, the Examiner has taken the pains to specify 
that Spies discloses "the cid is the credential index, d.sub.c is the category, x.sub.c is the private 
key for the credential, y.sub.c is the public key for the credential, and .lambda..sub.c is the MLA 
level defined for the credential by the domain authority." Column 7, line 14 to column 8, line 63 
and column 10 lines 10-65 are cited as supporting this position. 

PAGE 9/15 • RCVD AT 5/1/2006 2:19:02 PM [Eastern Daylight Time] • SVR:USPTO-EFXRF-1/9 • DNIS:2738300 • CSID:7035185499 • DURATION (mm-ss):07-30 

However, a review of the cited sections of the Spies reference reveals a total dearth of this 
disclosure. In fact, an electronic review of the whole Spies reference reveals that there is no 
".sub.c" disclosed anywhere in the document, let alone the values quoted as refuting the 
Applicant's position that Spies does not in fact disclose a "credential index." 

It is therefore submitted that the very foundation for the Examiner's position is evidenced as 
missing along with any support for a tenable argument that could cogently refute the Applicant's 
position that Spies does not disclose a "credential index." It is therefore submitted that the rejection 
almost seems based on a different reference and clearly fails to establish a prima facie case of 
obviousness for at least this reason. 

To establish prima facie obviousness of a claimed invention, all 
the claim limitations must be taught or suggested by the prior 
art. In re Royka, 490 F.2d 981, 180 USPQ 580 (CCPA 1974). 
M.P.E.P. § 2143.03. Accord M.P.E.P. § 706.02(j). (Emphasis 
added) 

Further, in order to establish a prima facie case of obviousness, it is necessary to show 
that the hypothetical person of ordinary skill would, without any knowledge of the claimed 
subject matter and without any inventive activity, be motivated to arrive at the claimed subject 
matter given the guidance of the cited references when each is fully considered as statutorily 
required. 

Indeed, if this rejection is to be maintained, proper foundation for the position that the 
Spies reference teaches the use of a "credential index", in a manner that the hypothetical person of 
ordinary skill would be led to understand its existence, must be established by at least pointing out 
where the purportedly disclosed values are set forth and how these values would lead the 
hypothetical person of ordinary skill to the position assumed in this rejection. 

Further, even if (arguendo) the disclosure of a "credential index" per se could be shown to 
exist in the Spies reference, the need exists to demonstrate that the claimed interaction actually takes 
place between the various parties involved. For example, in connection with the 
requirement in claim 1, for "a user causing a sender to communicate to a recipient a credential 
index", all that is cited is the sender is "participant 22a fig. 1" and the recipient is "participant 
22b fig. 1." At best, all that the rejection has established is that communication between 22a and 
22b is possible. The "causing" step remains unidentified. Indeed, a careful review of Figs. 1 
and 2, the abstract, column 5, line 21 - column 6, line 24, and column 6, lines 36 - column 7, line 
28, and column 10, lines 10-65, fails to reveal any disclosure in Spies of what the Office Action 
purports to be disclosed. 

For example, the abstract discloses: 

A cryptography system architecture provides cryptographic 
functionality to support an application requiring encryption, 
decryption, signing, and verification of electronic messages. The 
cryptography system has a cryptographic application program 
interface (CAPI) which interfaces with the application to receive 
requests for cryptographic functions. The cryptographic system 
further includes at least one cryptography service provider (CSP) 
that is independent from, but dynamically accessible by, the CAPI. 
The CSP provides the cryptographic functionality and manages 
the secret cryptographic keys. In particular, the CSP prevents 
exposure of the encryption keys in a non-encrypted form to the 
CAPI or application. The cryptographic system also has a private 
application program interface (PAPI) to provide direct access 
between the CSP and the user. The PAPI enables the user to 
confirm or reject certain requested cryptographic functions, such 
as digitally signing the messages or exportation of keys. 

The Applicant therefore questions the pertinence of at least this disclosure with 
respect to the position taken in this Office Action. 

The arrangement Spies discloses is such that each of the participants registers a packet of 
information with an independent third party (i.e. the credential binding server 26 in Figs. 1 and 2) - 
see the registration process described at column 8, line 12 - column 11, line 20. This credential 
binding server 26 then performs a two step verification process - see column 10, lines 48-60: 

The credential binding server 28 then performs a two-step 
verification technique to verify that the packet actually originated 
from the participant, and not an impostor. At step 96, the 
credential binding server 28 recalculates the participant's 
digital signature by hashing the data contained in the decrypted 
registration packet using the same hashing function employed by 
the participant. The recalculated hash is then compared with 
the decrypted hash received as a digital signature, i.e., 
privately encrypted hash, in the registration packet (step 98 in 
FIG. 5). If the two hashes match, the credential binding server is 
assured both that the registration packet was indeed signed by the 
participant and that the contents have not been subsequently 
altered. (Emphasis added) 



However, at no time does the Spies arrangement cause a "recipient" to respond to an 
index communicated by a "sender" by (a) responding to an indication of a selected at least one 
credential communicated by the recipient by selecting at least one of the credentials from the 
index of at least one credential provided by the sender, and (b) communicating to the sender an 
indication of the selected at least one credential. This simply does not happen and there is no 
disclosure which even remotely suggests the same. 



Indeed, if this rejection is to be maintained the Examiner must also establish without 
question that the Spies reference is such that one of the parties involved selects one credential 
from the index and requests the other party to provide the credential corresponding to that which is 
selected from the index. Thus, the Examiner must show that the "recipient" responds to the index 
communicated by the "sender" by (a) responding to an indication of a selected at least one 
credential communicated by the recipient by selecting at least one of the credentials from the 
index provided by the sender, and (b) communicating this selection to the "sender", and then 
having the "sender" provide to the "recipient" at least one credential corresponding to the 
selected at least one credential. 



The rejection of all the pending claims suffers from this fatal shortcoming. The rejection 
cannot be properly maintained irrespective of the citation of Scheidt et al. Indeed, the teachings of 
Scheidt et al. merely serve to muddy the waters. 

The Office Action admits Spies does not disclose an index further comprising credential 
information differing "substantially" from the credential such that the credential is not disclosed by 
the index. Because Spies does not disclose the index as claimed, any consideration of the 
proposed modification of this non-disclosed/suggested index with the Scheidt et al. disclosure 
would seem to be mooted. 

The index Spies discloses indicates the strongest algorithm and key size and is placed 
on each participant's credential; see column 15, lines 25-27. 

While Scheidt et al. mentions a credential index there is no expectation that the 
hypothetical person of ordinary skill would be inclined to consider a transfer from a reference which 
explicitly mentions a credential index to Spies which, at best, fails to disclose its existence to the 
degree that it cannot even be inferred as existing, merely for the sake of having a feature which is 
set forth in the claims, must be deemed dubious at best. At the very least, it is clear from the 
rejection that the hypothetical person of ordinary skill would need to know that it was appropriate 
to select "secret" from the plurality of disclosed security levels/categories in order to make any use 
of the teachings of Scheidt et al. Just what teachings in either of the references relied upon for 
rejection can be advanced to lead the hypothetical person of ordinary skill to this conclusion, is not 
at all clear, and in fact is submitted as being non-existent. 

A further flaw in this rejection is found in the position taken by the Examiner in connection 
with the position taken that the "applicant has recognized another advantage which would flow 
naturally from following the suggestion of the prior art" and that this "cannot be the basis for 
patentability when the difference would otherwise be obvious." There is no foundation for this 
position, nor the position that the motivation for combination "would have provided sensitivity level 
or multiple level access control such that the access to credentials depending on the method of 
member identification and enforced domain authority dictated policies for multiple-level access 
control by credential category." Scheidt column 2, lines 3-24, which is relied upon to substantiate 
this position, is such as to set forth: 

According to an exemplary aspect of the invention, a user's profile 
("user profile") determines whether and how the user can encrypt 
(write) and decrypt (access) an object, which can be, for example, 
a data instance or a computer program. A user profile includes at 
least one credential, and each credential includes one or both of 
an asymmetric key pair: a credential public key (write authority) 
and a credential private key (access authority). 

A user can encrypt (or write) an object with one or more particular 
credential public keys included in the user's profile, such that 
subsequent decryption of the encrypted object by another user (or 
the original user) requires corresponding or otherwise authorized 
credentials. Accordingly, a user can decrypt an encrypted object if 
the user possesses, in that user's profile, credentials 
corresponding to those with which the encrypted object was 
encrypted. A user can select one or more credentials with which to 
interact with a particular object or objects in general, or selection 
of credentials can be automated. 

It is submitted that this disclosure would not lead the reader to the conclusions noted 
above, particularly in light of the fact that the Spies reference does not, for the reasons advanced 
supra, disclose or suggest the use of a credential index. Clearly, there is nothing to suggest an 
arrangement wherein a list of credential types that one is prepared to disclose is sent. Neither is 
there anything to suggest that the recipient selects which credential types are such as to provide an 
acceptable assurance and that this selection is sent back to the user after which the user reveals 
the chosen credentials. In other words, there is nothing to suggest the activity which is recited in 
the claims, at least claim 1, or that this is merely another advantage which would flow from the 
combination of the references in question. 

Conclusion 

As will be apparent from the preceding remarks, it is clear that the rejection is founded on 
some clearly unsubstantiated positions with respect to what is disclosed in Spies and may have 
been inadvertently motivated by a working knowledge of the claimed subject matter when 
considering the content of the Scheidt et al. reference when considering how to overcome a clearly 
acknowledged shortcoming of the Spies disclosure. Accordingly, favorable reconsideration and 
allowance are respectfully requested and deemed in order. 

To the extent necessary, a petition for an extension of time under 37 C.F.R. 1.136 is hereby 
made. Please charge any shortage in fees due in connection with the filing of this paper, including 
extension of time fees, to Deposit Account 08-2025, and please credit any excess fees to such 
deposit account. 



HEWLETT-PACKARD COMPANY 
Intellectual Property Administration 